CLAIMS


1. High-performance specification resolution method characterized in that it comprises:

a) a step for formulating the audit conditions one wishes to detect using specification formulas expressing fraudulent entry or attack patterns or abnormal operations, this being non-limiting, to be verified by examining the records of the computer system's log file;

b) a step for expanding formulas into subformulas;

c) a step for scanning by an interpreter, which consists of generating, for each expanded formula in each record, Horn clauses to resolve in order to detect whether or not the formula is valid in this record, the Horn clauses expressing the implications resolvent of the subformulas for each record scanned, in positive clauses, i.e. counting only a positive literal, and in non-positive clauses, i.e. counting at least one negative literal, which negative literals form the negative part of the clause;

d) a step for storing the positive Horn clauses in a stack of worked subformulas, and a step for storing, in a table comprising a representation, the implicating subformula(s) constituting the negative part of the clause and the link with the implicated subformula(s) constituting the positive part of the clause, and storing in a counter the number of formulas or subformulas present in the negative part of the clause for each implicated subformula;

e) a step for resolving the table based on each positive clause encountered, so as to generate either an output file or an action of the computer system;

f) a step for iterating steps b) through e) until the scanning of all the records in the log file is complete.

2. Method according to claim 1, characterized in that a temporal logic is used for the formulation of the specification.

3. Method according to claim 1, characterized in that the table is a matrix and is indexed in columns by the subscripts of the formulas appearing in the negative part of the Horn clauses, and the lines are the Horn clauses exactly.

4. Method according to claim 1, characterized in that the table is preferably represented in the form of a sparse matrix, the columns being represented by means of chained lists and the lines remaining implicit.

5. Method according to claim 1 or 2, characterized in that a step for optimizing the expansion of the formulas is obtained through a hash table in order to ensure that the same formula is not expanded more than once in each record.

6. Method according to claim 1, characterized in that the log file is scanned only once from beginning to end.

7. Computer system comprising storage means and means for executing programs for implementing the method according to any of claims 1 through 6, characterized in that the system comprises:

- an adapting means for translating the information from the log file formulated in the specific language of the machine into a language comprehensible to an interpreting means;

- the interpreting means receiving the information from the adapter and receiving the formulation of the specification in the temporal logic in a specification formula in order to expand this formula and fill in the table and the stack of worked subformulas stored in a memory of the computer system and resulting from the scanning of the computer system's log file;

- a clause processing algorithm executed by the computer system, which makes it possible to resolve the Horn clauses using the information from the table and the stack of worked subformulas, this clause processing algorithm generating an output file or generating an action.
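
An added illustration of steps d) and e) of claim 1 with the column-list table of claim 4, not code from the patent: positive clauses go on a stack, non-positive clauses are indexed by their negative literals, and a per-clause counter reaches zero when the whole negative part is resolved. The toy specification ("a failed login later followed by a successful one"), its expansion in clauses_for, the sample log and every name are assumptions, and the log is resolved in one batch rather than record by record.

```python
from collections import defaultdict

def resolve(clauses):
    """Forward-chain Horn clauses given as (negative_part, head) pairs."""
    stack = []                    # stack of worked (established) subformulas
    columns = defaultdict(list)   # sparse table: negative literal -> clause ids
    counter = {}                  # clause id -> negative literals still unresolved
    heads = {}                    # clause id -> implicated subformula (positive part)
    for cid, (negative, head) in enumerate(clauses):
        negative = set(negative)
        if not negative:          # positive clause: a fact, goes on the stack
            stack.append(head)
            continue
        heads[cid], counter[cid] = head, len(negative)
        for lit in negative:
            columns[lit].append(cid)
    valid = set()
    while stack:
        fact = stack.pop()
        if fact in valid:
            continue              # already worked; do not decrement twice
        valid.add(fact)
        for cid in columns.get(fact, ()):
            counter[cid] -= 1
            if counter[cid] == 0:     # whole negative part resolved
                stack.append(heads[cid])
    return valid

def clauses_for(log):
    """Hypothetical expansion of 'failed login, later a success' per record."""
    out = []
    for i, event in enumerate(log):
        out.append(([("fail", i), ("later_ok", i + 1)], ("alert", i)))
        out.append(([("ok", i)], ("later_ok", i)))
        out.append(([("later_ok", i + 1)], ("later_ok", i)))
        out.append(([], (event, i)))          # the record itself is a fact
    return out

# Constructed sample log, one event per record.
LOG = ["fail", "fail", "other", "ok", "fail"]

def alerts(log):
    valid = resolve(clauses_for(log))
    return sorted(i for kind, i in valid if kind == "alert")

if __name__ == "__main__":
    print(alerts(LOG))
```

Each clause is touched once per negative literal, so resolution time is linear in the total size of the clauses.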